BothanSpy & Gyrfalcon: CIA Malware To Steal SSH Credentials From Windows & Linux PCs


Short Bytes: WikiLeaks has recently published new documents, revealing new CIA malware implants. The first implant, named BothanSpy, targets SSH client Xshell on Windows machines. The second implant, called Gyrfalcon, targets OpenSSH clients on Linux system. Both implants are capable of stealing user credentials and spying on the session traffic.

While Windows users were getting affected by new threats like WannaCry and Petya/NotPetya, Linux users stayed untouched. However, this doesn’t mean that Linux is an unhackable operating system. Just last week I told you about CIA’s OutlawCountry malware that targetted Linux machines using malicious kernel modules.

Today, I’m going to tell you about two more CIA malware unveiled by WikiLeaks, as a part of the ongoing Vault 7 leak, which target Windows and Linux computers and steal SSH credentials and session traffic. Talking specifically about the tools, they are implants, which are basically malware payloads.

So, let’s tell you about these SSH hacking tools one by one in brief:

BothanSpy implant for Windows

As described by WikiLeaks in BothanSpy’s description, it’s an implant that targets SSH client Xshell for Windows. The implant is installed as a Shellterm 3.x extension on the user’s machine.

The program credentials are either username and password, which are stolen for all active SSH sessions. By using the Fire and Collect (F&C) channel, the stolen credentials are exfiltrated. Before running BothanSpy on a target machine, one needs to start the F&C handler.

Though not preferred, BothanSpy also works in Fire and Forget (F&F) mode. This mode creates files on the machine that contain the credential passed from Xshell, with AES-256 encryption.

You can read further technical details on BothanSpy in this leaked document. If you’re a Star Wars fan, you’ll love the references!

Gyrfalcon implant for Linux

Moving on to Linux machines, CIA’s Gyrfalcon implant targets OpenSSH clients on Linux-based operating systems like CentOS, RHEL, Ubuntu, SUSE, Debian, etc. Apart from stealing the user credentials of all active SSH sessions, Gyrfalcon can also collect session traffic.

Gyrfalcon compresses, encrypts, and stores the collected data into a file on the Linux system. By using a third-party application, the collection file is transferred to the attacker.

For using Gyrfalcon, the attacker must have a thorough knowledge of Linux/Unix command line and shells like bash, csh, and sh. The user also needs to understand the Linux computing environment for correctly configuring Gyrfalcon. The Gyrfalcon library needs to be installed with root privilege.

You can read more details regarding working and installation of Gyrfalcon in this leaked manual.

Read our complete WikiLeaks: Vault 7 coverage 

Also Read: Microsoft Is Adding AI-based Malware Protection To Windows 10
Adarsh Verma

Adarsh Verma

Fossbytes co-founder and an aspiring entrepreneur who keeps a close eye on open source, tech giants, and security. Get in touch with him by sending an email — [email protected]
More From Fossbytes

Latest On Fossbytes

Find your dream job